Overview

Project Overview
Current Status
Proposed Architecture
Towards 2015
Alignment of passive cyber sensor capabilities and architecture in the SIGINT and ITS missions

Goals

- Common sensor technology and architecture
- Address scalability issues in sensor deployments

Scope

- Passive sensors and supporting infrastructure are in scope
- Analytic tools are out of scope
- Host based capability is out of scope (caveat: passive messaging is in scope)
Our Sensors

SIGINT / ITS

Photonic Prism

- Monitoring of GC Networks
- Includes:
  - Full-Take Packet Capture
  - Signature Based Detection
  - Anomaly Based Discovery
  - Analytic Environment
  - Oversight Compliance Tools

EONBLUE

- Monitoring in Passive SIGINT
- Includes:
  - Full-Take (on specific accesses)
  - Signature Based Detection
  - Anomaly Based Discovery
- Additional functions are offloaded and exist further downstream:
  - Analytic Environment
  - Dataflow / Targeting
  - Oversight and Compliance Tools
[Diagram: sensor platforms]

Platform  | Description                    | Processing                                                       | Output            | Link speed
EONBLUE   | DELL R610 1U Platform          | TS//SI Processing; Tracking / Discovery                          | Content, Metadata | 10Gbps
INDUCTION | Distributed Processing (Cloud) | TS//SI Processing; Tracking / Discovery; PXE Boot Infrastructure | Content, Metadata | Multiple 10Gbps
THIRD-EYE | Cyber Metadata Processor       | UNCLASSIFIED Processing; Metadata Production                     | Metadata          | Multiple 1 Gbps
Current Status - SIGINT Deployments

Special Source

- 100% INDUCTION coverage of main SSO sites + metadata production
- THIRD-EYE metadata production at select new sites
- CRUCIBLE deployments to newly emerging sites, pre-SCIF environment (survey)
- Increase in link speeds

Warranted Collection

- EONBLUE sensor deployment - full take collection

FORNSAT

- Recently upgraded to current EONBLUE code base, leveraging GCHQ CHOKEPOINT solution to integrate with environment (virtualized)
- Working on SUNWHEEL / SMO
- CHOKEPOINT system en route to CASSIOPEIA
- No SUNWHEEL presence as of yet, plans to leverage CHOKEPOINT capability
Current Status - IT Security Deployments

- Deployment at 3 edge gateway GC departments
- Dynamic defence is enabled at two of these sites
- Deployment at the main government backbone
- Dual 10Gbps links (~3Gbps loading)
- Data volumes continue to increase due to Internet Access Point aggregation
- Currently performing full take and storage of all monitored traffic
- System performance issues, overall analyst usability issues



CLASSIFICATION: TOP SECRET // COMINT // REL FVEY 






Divergence - Sensor Deployments

While both ITS/SIGINT currently leverage EONBLUE software:

- The architectures are not aligned
- Configuration differs greatly
- Software versions are not standard across programs
- The full capability of EONBLUE is not being leveraged equally across programs
Problem Statement

- Divergence
  - Sensor architectures have diverged between ITS/SIGINT
  - Within each area, versions are not standardized
- Management and Scalability
  - Some configurations will not scale
  - Difficult to manage current sensor environment
  - High cost to grow existing solution (people, HW/SW costs)
- Duplication of Effort
  - Divergence creates duplication of effort
  - Limited resources are not focused on innovation and new challenges
A Phased Approach

- Address performance / stability issues with SCNET
- Ensure that SIGINT / ITS approach to Tracking / Metadata Production are aligned
- Improve Query Performance for Full-Take Data
- Develop / Implement strategy to better do Full-Take
- Extend Native Messaging Between Business Lines
- Ensure Targeting is Unified
- Simplify Version Management
- Shared Mission Space
- Single Interconnected Sensor Grid
- Host / Network Interoperability
Tracking and Metadata

- Ensure EONBLUE is deployed in a standard fashion across all environments
  - Upgrade SCNET to 10Gbps EONBLUE
  - Update all SIGINT collection sites to latest code release
- Produce Standard Metadata
  - DNS Response Harvesting
  - HTTP Client / Server Headers
  - IP-to-IP Flow Summarizations
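What the three standard metadata products look like when produced passively, as an added example (not code from the slides, nor from EONBLUE, THIRD-EYE or any other system named on this page): a stand-alone Python script that walks raw IPv4 packets and emits harvested DNS A records, HTTP request headers and IP-to-IP flow summaries. The packet layouts are the standard IPv4/UDP/TCP/DNS/HTTP ones; the sample packets are constructed inside the script so it runs offline, and the function names are mine.

```python
import struct
from collections import defaultdict

# Added example: passive metadata production over raw IPv4 packets. Packet
# layouts are standard; the traffic at the bottom is constructed, not captured.

def _dns_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                      # pointer into an earlier name
            if not jumped:
                end = off + 2                      # name ends after the 2-byte pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if jumped else off)

def harvest_dns(payload):
    """Return (name, ipv4) pairs from the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:                         # QR=0 is a query: nothing to harvest
        return []
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _dns_name(payload, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _dns_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record; CNAME/AAAA/... are skipped
            answers.append((name, ".".join(map(str, payload[off:off + 4]))))
        off += rdlen
    return answers

def http_headers(payload):
    """Return (start line, {header: value}) from the head of an HTTP message."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        hdrs[key.strip().lower()] = value.strip()
    return lines[0], hdrs

def process(packets):
    """Run all three producers over raw IPv4 packets; return (dns, http, flows)."""
    dns, http = [], []
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        l4 = pkt[(ver_ihl & 0x0F) * 4:total]
        if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
            continue                               # only TCP/UDP are summarised here
        sport, dport = struct.unpack("!HH", l4[:4])
        data = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:]   # UDP fixed / TCP data offset
        key = (".".join(map(str, src)), ".".join(map(str, dst)), proto, sport, dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += total               # wire bytes at the IP layer
        if proto == 17 and sport == 53 and data:
            dns.extend(harvest_dns(data))
        elif proto == 6 and 80 in (sport, dport) and data:
            http.append((key[0], key[1]) + http_headers(data))
    return dns, http, dict(flows)

# --- constructed sample traffic (RFC 1918 / TEST-NET addresses) ---
def _ipv4(proto, src, dst, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                       bytes(src), bytes(dst)) + l4

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _tcp(sport, dport, data):                      # 20-byte header, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
DNS_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
DNS_RESP = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

SAMPLE = [
    _ipv4(17, (10, 0, 0, 5), (10, 0, 0, 1), _udp(51234, 53, DNS_QUERY)),
    _ipv4(17, (10, 0, 0, 1), (10, 0, 0, 5), _udp(53, 51234, DNS_RESP)),
    _ipv4(6, (10, 0, 0, 5), (192, 0, 2, 10), _tcp(40000, 80, HTTP_REQ)),
    _ipv4(6, (10, 0, 0, 5), (192, 0, 2, 10), _tcp(40000, 80, b"")),   # bare ACK, no payload
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

Two points a practitioner would add that the slide does not spell out: a passive producer should not trust a DNS answer merely because it arrived from port 53 (a production version pairs each response with the outstanding query by transaction ID and source port before recording it), and the flow counters above are IP-layer wire bytes keyed on the 5-tuple alone, so retransmissions and new data are counted alike. On encrypted ports there are no headers to harvest, which is why header metadata and full-take "on specific accesses" coexist rather than replace each other.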
Address SCNET Scalability

- Reconfiguration / Design of Storage Solution
- Improved / Enforced data indexing and querying
- Leverage Third-Eye Architecture
  - Distributed Collection Grid (at multiple clients)
  - Queries are Federated and Centrally Managed
  - Enables unique data ingest at client department (i.e. Firewall Logs)
Full-Take Strategy

- Benefits
  - Improve Performance
    - Better data indexing techniques
    - Federated queries across multiple systems
  - Reduced Cost (Storage local to client departments)
    - $10,000 -> $25,000 per client
    - Re-use of back-end Storage
  - Enable departmental security officers / operators
  - Capability of Third-Eye exceeds what is commercially available
- Cons
  - Requires network connections to each GC Department
  - Requires footprint within each department's datacenter
  - Complexity of distributed processing





Sensor Interoperability

- Messages should be automatically exchanged between SIGINT and ITS/CTEC
  - The sensor environment will be connected to enable seamless message flows
- Targeting selectors for Cyber Threats will be unified
  - When updates are made to SIGINT sensors the selectors will be automatically replicated for ITS
  - JAZZFLUTE should support ITS analysts targeting SIGINT systems
- Simplify Sensor Version Management
  - Rapid deployment of new capability, seamless across all programs / sites
  - Distributed Induction (Across WAN)
  - EBSH: Sensor has custom CLI like a switch and supports inline binary updates
Interoperability enables Synchronization

- ITS access to data collected by SIGINT sensors
  - Outputs should be common to enable a common analyst platform
  - Sensor environment should be seamlessly integrated
- Capability remains at cutting-edge
  - Single release for all collection programs in SIGINT, all points of presence, and across both missions
  - Management is simplified for operators, focusing on sensor expansions
  - Standardized OS Versions and Optimizations
Unified Sensor Environment

Synchronized Deployment Strategy

- Where do you deploy sensors to maximize detection capabilities for Foreign Intelligence collection and Network Defence?
- Coverage-based deployment considerations - what are the gaps?
- Threat-based deployment considerations - what are the gaps?
  - Based on EPRs
  - Threat trends and forecasting reports
  - Adversary TTPs
Canadian Cyber Sensor Grid

[Diagram: sensor grid. Labels: Foreign Internet Space; Canadian Internet Space; Secure Channel; FORNSAT; System of Importance; GC Dept; Defensive Monitoring; Special Source / Special Access; Warranted Access; GAZEBO Access]
Strategic Priorities for CSEC

- Strengthen “Team CSEC” and Prepare for Our New Facility
- Adopt Innovative and Agile Business Solutions
- Expand Our Access Footprint
- Improve Analytic Tradecraft
- Automate Manual Processes
- Synchronize the Cryptologic Enterprise for Cyber Security Mission
- Enable “Effects” for Threat Mitigation
Cyber Sensor in 2015

- Expand Our Access Footprint
  - We will increase SPECIAL SOURCE access to include all international gateways accessible from Canada.
  - We will deploy a sensor system that creates a protective grid at multiple layers over Government operations in Canada, and at all classification levels.
- Improve Analytic Tradecraft
  - We will equip SIGINT and cyber defence analysts with tools for flexible manipulation and customized analysis of large scale data sets.
  - We will build analytic tradecraft that understands, anticipates, and exploits the methodology of threat agents to provide comprehensive cyber-situational awareness based on multiple sources of cryptologic data.

Cyber Sensor in 2015 (continued)

- Synchronize the Cryptologic Enterprise for the Cyber Security Mission
  - We will improve how we anticipate, identify, track and mitigate cyber threats on government systems through new concepts of joint operations.
  - We will design and develop joint SIGINT-ITS systems, including common data repositories, joint tasking and analytic systems.
  - We will increase operational capacity by ensuring SIGINT, ITS, and cryptologic partner sensors interoperate seamlessly.
  - We will synchronize and use ITS and SIGINT capabilities and complementary analyses to thwart cyber threats.
- Enable “Effects” for Threat Mitigation
  - We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates.
  - We will build the technical infrastructure, policy architecture and tradecraft necessary to conduct Effects operations.
  - We will further integrate ITS and SIGINT authorities and operations to leverage common sensors, systems and capabilities necessary for active and expanded dynamic cyber defence measures.
The Network Is The Sensor

Principles

- Security needs to be transparent to the user in order to be effective
- Security is a right for all Canadians
  - Federal Government
  - Municipal / Provincial Gov
  - Critical Infrastructure
  - Industry
  - The Citizen
- End-Users should incur little cost for security
- IT Assets should be distributed
- Access is mandate / authority agnostic

Goals

- Detect threats as they enter our national networks, not at the Gateway
- Identify Exfiltration, Command and Control, anywhere in our national networks
- The network is your defence for all infrastructure

Rationale

- We can't keep pace with our adversary
- Gateway / Device / End-Node protection is not sufficient (essential, yes)
Principles Explained

- Security is Transparent
  - If security inhibits functionality, or interferes with user experience, it will be bypassed
- Security is a right
  - Attempting to protect everybody with end-node / gateway defenses is not feasible.
- IT Assets should be distributed
  - We run an open market; network providers will compete to provide access
  - Consolidated gateways create single points of failure
  - Cost / Redundancy considerations
Goals

- Detection before attack hits target
  - If we wish to enable defence we must have intelligence to know when attacks enter our national infrastructure
- Identify Exfiltration / Command and Control
  - Some attacks will slip through or can't be seen (i.e. shaping)
  - Exploit our temporal advantage - aggressively pursue these implants as they will communicate 'home' for instruction
- The Network IS your Defence
  - In some cases, in cooperation with our partners we can effect change at the CORE of the Internet on detection:
    - Modify traffic routes
    - Silently discard malicious traffic (hygiene filtering)
    - Insert payload to disrupt adversaries
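One concrete form of the "exploit our temporal advantage" idea above, as an added example that is not code from the deck or from any capability it names: a Python triage rule over IP-to-IP flow summaries that flags outbound contacts whose inter-arrival times are regular enough to look like an implant polling its controller for instruction. The thresholds, the record layout and the sample flow records are my own assumptions.

```python
import statistics
from collections import defaultdict

# Added example: flag periodic "call home" traffic in flow summaries.
# Records are (timestamp_seconds, src, dst, dport); the sample below is
# constructed for the demo, not real sensor output.

def beacon_candidates(flows, min_events=8, max_jitter=0.15, min_period=5.0):
    """Return {(src, dst, dport): summary} for flows whose gaps between
    contacts are regular enough to look like an implant polling its C2.

    min_events: fewer contacts than this is too little evidence of periodicity
    max_jitter: population stdev / mean of the gaps; 0.15 tolerates ~15% sleep jitter
    min_period: ignore rapid bursts (browsing, keep-alives) shorter than this
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = {}
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean < min_period:
            continue
        jitter = statistics.pstdev(gaps) / mean   # 0 = perfectly regular
        if jitter <= max_jitter:
            hits[key] = {"events": len(times), "period_s": round(mean, 1),
                         "jitter": round(jitter, 3)}
    return hits

def _contacts(src, dst, dport, start, offsets):
    """Build flow records at start + each offset (seconds)."""
    return [(start + o, src, dst, dport) for o in offsets]

# Constructed sample: a ~60 s beacon with a few seconds of sleep jitter,
# an irregular browsing session, and a short-lived flow with too few events.
SAMPLE = (
    _contacts("10.0.0.7", "203.0.113.9", 443, 1_700_000_000,
              [0, 61, 119, 182, 240, 303, 358, 421, 480, 542, 599, 662])
    + _contacts("10.0.0.7", "198.51.100.20", 80, 1_700_000_000,
                [0, 2, 3, 40, 41, 42, 300, 310, 311, 900])
    + _contacts("10.0.0.9", "203.0.113.9", 443, 1_700_000_000, [0, 60, 120])
)

if __name__ == "__main__":
    for key, summary in beacon_candidates(SAMPLE).items():
        print(key, summary)
```

This is a triage filter, not a verdict: implants that randomise their sleep beyond the jitter bound, sleep for hours, or hide behind a shared CDN address will not trip it, and legitimate pollers (NTP, update checkers, monitoring agents) will, so the output needs an allow-list and an analyst behind it. Running it over summarised flows rather than full-take is what lets it keep up with the link rates quoted on the earlier status slides.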
Rationale

- Keeping pace with the Adversary
  - From the time a malicious PDF is opened, till SEEDSPHERE has interactive control of a workstation is <3 minutes
  - There are countless malicious actors (state, crime, generic malware)
- Gateway / End-Node Defence by itself is insufficient
  - It is only one part of the problem
  - Over 600,000 Apps in the iTunes AppStore (How do you secure that?)
  - Defence in Depth includes network monitoring, and network interaction
- Build better Defence
  - Our current MO is to resolve one incident at a time
  - Automate the defence through a robust network capable of not only detection, but manipulation of malicious traffic
What does it Mean?

- EONBLUE will be integrated into the Network
  - Monitoring Government of Canada
  - Monitoring Core Infrastructure (Special Source), extending the reach to view national infrastructure
  - Monitoring foreign Internet Space
- EONBLUE will enable defensive operations
  - Through robust communication with host-based capabilities
  - Through direct manipulation of network communications
  - Through interaction with telco infrastructure to effect change
Changing the way we think

- Tipping and Cueing
  - If the purpose is to enable defence of national infrastructure it becomes unnecessary in a 5-eyes context
    - We have full visibility of our national infrastructure
    - The chance of 'beating' the internet for latency of an attack is minimal
    - The network will perform the filtering
  - What if instead T&C enables intelligence collection (Cyber Session Collection)?
- Targeting and Tasking
  - We all share common targets and we will all target, using our national capability, the cyber threats we know about
  - No need for 2nd party tasking / targeting requests. Instead expose cyber information across the community
  - What if instead we focus on analytic collaboration and knowledge transfer: TEXPRO information, federated repositories (malware / traffic), etc.
Changing the way we think (continued)

- Foreign SIGINT Intercept
  - Becomes the 'hunting ground' for discovery of new threats
  - Enables attribution and counter-intelligence reporting
  - Defence is taken care of by 'The Network'
  - Mobile Platforms are the next frontier; what is their implication on Cyber?
- Domestic Defence
  - We will exhaust the treasury deploying network appliances to perform dynamic defence
  - The same capabilities will be integrated into the CORE of the Internet
  - Defence in Depth through complementary capabilities on end-nodes, at the gateway, and in the core of the Internet.
Conclusion

- CASCADE
  - The harmonization of ITS/SIGINT Sensor capabilities
  - Lays the foundation for long-term integration of Cyber within the Cryptologic Enterprise
- Towards 2015
  - The Network is the Sensor
  - Defence, Mitigation, Intelligence all formed from a single comprehensive network creating a perimeter around Canada
  - Extending our reach through 5-eyes partnerships to ensure mutual defence of national assets.
CSEC SIGINT Cyber Discovery: Summary of the current effort

Communications Security Establishment Canada
Covert Network Threats
Cyber-Counterintelligence

Discovery Conference
GCHQ - November 2010

Safeguarding Canada's security through information superiority

TOP SECRET // COMINT

Outline

• CSEC SIGINT Cyber
  - KOG (CCNE)
  - GA4 (GND)
  - CNT1 (CCI)
• CSEC SIGINT Cyber - Operational Discovery
  - Network Based Anomaly Detection
  - Host Based Anomaly Detection
• Contacts
CSEC Cyber Counterintelligence

[Diagram: CCI cycle. Recoverable labels: Target development; Active collection; Attribute; Persona; Characterize; Track; Collection; one label truncated to "...atures"]
Counter CNE (KOG)

• Part of CSEC CNE operations (KO)
• Recently formed matrix team
• Analysts and operators from CNE Operations, Cyber-Counterintelligence and Global Network Detection
• Mandate:
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations
Global Network Detection (GND)

• Develop capabilities to improve the ability of the SIGINT collection system to detect Computer Network Exploitation and Computer Network Attack
• Help enable CSEC's CNE program through timely identification of vulnerable computer systems and foreign CNE methodologies/activities
• Act as technical liaison between IT Security and SIGINT for CNO issues
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Cyber Counterintelligence (CNT1) M 

• Covert Network Threats (New Directorate within CSEC) 

- CNT1 (Cyber Counterintelligence) 

- CNT2 (Traditional Counterintelligence) 

• CNT1 Mission 

- To produce intelligence on the capabilities, intentions and 
activities of Hostile Intelligence Services to support 
Counterintelligence activities at home and abroad. 

• Fusion of Cyber Analytic Skills with Traditional 
Counterintelligence Analytic Skills 

- All Cyber-Counterintelligence Investigations should lead to Traditional 
Counterintelligence investigations. 



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CSEC SIGINT CCI Discovery 
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CSEC CNE (K) - WARRIORPRIDE 



• WARRIORPRIDE (WP): 

- Scalable, Flexible, Portable CNE platform 

- Unified framework within CSEC and across the 5 eyes 

- WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ 

- xml command output to operators 

• Several plugins used for machine recon / OPSEC assessment

• Several WP plugins are useful for CCNE:

- Slipstream : machine reconnaissance

- ImplantDetector : implant detection

- RootkitDetector : rootkit detection

- Chordflier/U_ftp : file identification / retrieval

- NameDropper : DNS

- WormWood : network sniffing and characterization
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KOG - ReplicantFarm 




• Created to leverage the WP XML output in a 
meaningful way 

• Module based parser/alert system running on real-time 
CNE operational data 

• Custom/module based analysis: 

- Actors 

- Implant technology 

- Host based signatures 

- Network based signatures 




REPLICANTFARM generic modules

- Packed
- PEB modification
- Privileges
- MS pretender
- System32 "variables"
- Strange DLL extensions
- Cloaked
- Recycler
- Rar password
- Tmp executable
- Kernel cloaking
- Schedule at
- NtUninstall execution
- Hidden
- Other ideas . . . .
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Generic modules : example 




# REPLICANTFARM generic module ("MS pretender"): flag running processes whose
# names look like legitimate Windows executables with 1-3 extra characters
# inserted before the extension (e.g. svchost32.exe).  xmlJsProcessRunning()
# is the ReplicantFarm helper that searches the WARRIORPRIDE XML output for
# process names matching the given Perl regular expressions.
my @runningProcs = xmlJsProcessRunning( $xml, 'svchost.{1,3}\\.exe',
                                             'winlogon.{1,3}\\.exe',
                                             'services.{1,3}\\.exe',
                                             'lsass.{1,3}\\.exe',
                                             'spoolsv.{1,3}\\.exe',
                                             'autochk.{1,3}\\.exe',
                                             'logon.{1,3}\\.scr',
                                             'rundll32.{1,3}\\.exe',
                                             'chkdsk.{1,3}\\.exe',
                                             'chkntfs.{1,3}\\.exe',
                                             'logonui.{1,3}\\.exe',
                                             'ntoskrnl.{1,3}\\.exe',
                                             'ntvdm.{1,3}\\.exe',
                                             'rdpclip.{1,3}\\.exe',
                                             'taskmgr.{1,3}\\.exe',
                                             'userinit.{1,3}\\.exe',
                                             'wscntfy.{1,3}\\.exe',
                                             'tcpmon.{1,3}\\.dll' );

# One alert line per matching process.
my $alertText = '';
foreach my $runningProc (@runningProcs) {
    $alertText .= "Suspicious process detected, legitimate exe name appended with string: "
                . $runningProc . ".\n";
}
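The generic modules listed above and the Perl example are host-based heuristics run over a process inventory. The following is an added example, not CSEC or ReplicantFarm code, that implements three of the listed ideas in Python over a constructed XML inventory: the "MS pretender" check with the same regular expressions as the slide, a "Tmp executable" check on the image path, and a "Strange DLL extensions" check on loaded modules. The `<hostinfo>` layout, process names and paths are constructed for this example and are not the WARRIORPRIDE output format.

```python
"""Host-based anomaly heuristics in the spirit of the REPLICANTFARM generic
modules: "MS pretender", "Tmp executable" and "Strange DLL extensions".
Added example, not CSEC code.  The <hostinfo> XML layout is constructed for
this example and is not the WARRIORPRIDE output format."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inventory (not real data): one masquerading service host
# (svchost32.exe) that has also loaded a non-.dll module, one executable
# running from a user's Temp directory, and two legitimate processes.
SAMPLE_XML = """<hostinfo>
  <process pid="612" name="svchost.exe" path="C:\\Windows\\System32\\svchost.exe">
    <module>C:\\Windows\\System32\\ntdll.dll</module>
  </process>
  <process pid="1488" name="svchost32.exe" path="C:\\Windows\\System32\\svchost32.exe">
    <module>C:\\Windows\\System32\\ntdll.dll</module>
    <module>C:\\Windows\\System32\\msupd.tmp</module>
  </process>
  <process pid="2044" name="update.exe" path="C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe">
    <module>C:\\Windows\\System32\\kernel32.dll</module>
  </process>
  <process pid="3000" name="lsass.exe" path="C:\\Windows\\System32\\lsass.exe"/>
</hostinfo>"""

# Same patterns as the slide's Perl module: a well-known executable name with
# 1-3 extra characters squeezed in before the extension.
PRETENDER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"svchost.{1,3}\.exe", r"winlogon.{1,3}\.exe", r"services.{1,3}\.exe",
    r"lsass.{1,3}\.exe", r"spoolsv.{1,3}\.exe", r"autochk.{1,3}\.exe",
    r"logon.{1,3}\.scr", r"rundll32.{1,3}\.exe", r"chkdsk.{1,3}\.exe",
    r"chkntfs.{1,3}\.exe", r"logonui.{1,3}\.exe", r"ntoskrnl.{1,3}\.exe",
    r"ntvdm.{1,3}\.exe", r"rdpclip.{1,3}\.exe", r"taskmgr.{1,3}\.exe",
    r"userinit.{1,3}\.exe", r"wscntfy.{1,3}\.exe", r"tcpmon.{1,3}\.dll",
)]
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_inventory(xml_text):
    """Return a list of {pid, name, path, modules} dicts from the XML."""
    procs = []
    for p in ET.fromstring(xml_text).iter("process"):
        procs.append({
            "pid": p.get("pid"), "name": p.get("name"), "path": p.get("path", ""),
            "modules": [m.text for m in p.iter("module") if m.text],
        })
    return procs


def ms_pretender(proc):
    """MS pretender: legitimate name with characters appended."""
    if any(pat.search(proc["name"]) for pat in PRETENDER_PATTERNS):
        return (f"[mspretender] pid {proc['pid']}: {proc['name']} looks like a "
                f"legitimate Windows executable name with characters appended")
    return None


def tmp_executable(proc):
    """Tmp executable: image loaded from a temporary directory."""
    if any(marker in proc["path"].lower() for marker in TEMP_DIR_MARKERS):
        return f"[tmpexec] pid {proc['pid']}: executable running from a temporary directory ({proc['path']})"
    return None


def strange_module_extensions(proc):
    """Strange DLL extensions: a loaded module whose file is not a .dll."""
    return [f"[strangedll] pid {proc['pid']}: loaded module without .dll extension: {m}"
            for m in proc["modules"] if not m.lower().endswith(".dll")]


def run_modules(xml_text):
    """Run every heuristic over every process; return the alert lines."""
    alerts = []
    for proc in parse_inventory(xml_text):
        for check in (ms_pretender, tmp_executable):
            alert = check(proc)
            if alert:
                alerts.append(alert)
        alerts.extend(strange_module_extensions(proc))
    return alerts


if __name__ == "__main__":
    print("\n".join(run_modules(SAMPLE_XML)))
```

The patterns are applied with a search, as the Perl `=~` match would be, so a plain `svchost.exe` or `lsass.exe` is not flagged because nothing sits between the base name and the extension; `svchost32.exe` is. Each heuristic on its own is weak (plenty of legitimate installers run from Temp), which is why the slide notes that the modules feed an alert stream for an analyst rather than a yes/no verdict.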
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[Screenshot: the "CCNE/Opsec WPID Alerts" REPLICANTFARM web interface, open in Firefox on an internal server (http://obelix/system!nfo/ as extracted). Legible content follows.]

Note that the search is done with the fields as Perl regular expressions...

- Dot-Star (.*) means any number of characters
- Single ... / Class C ... / Infrastructure: ... (remaining help text illegible)

Current Modules (names as legible in the screenshot; uncertain characters shown as "..."):
mod_1000_..._Implant.pl, mod_100_MM_SHEPHERD.pl, mod_101_MM_CARBON.pl, mod_102_MM_RE....pl, mod_103_MM_DOGHOUSE.pl, mod_104_MM_WALKER.pl,
mod_1100_VO_Implant.pl, mod_11_cloaked.pl, mod_1200_AF_ALOOFNESS.pl, mod_12_system32var.pl, mod_13_rarpassword.pl, mod_14_strangedllextensions.pl,
mod_15_procParents.pl, mod_16_recyclerexec.pl, mod_17_tmpexec.pl, mod_18_passwordfilters.pl, mod_19_kernelcloaking.pl, mod_1_packed.pl,
mod_200_SD_MI20.pl, mod_201_SD_MI25FTP.pl, mod_20_pebmodification.pl, mod_21_scheduleat.pl, mod_22_ntuninstallexec.pl, mod_23_hidden.pl,
mod_24_expectedArguments.pl, mod_25_privileges.pl, mod_300_UNK_TCPSRV32.pl, mod_301_UNK_BLAZINGANGEL.pl, mod_302_TINYWEB.pl, mod_303_UNK_CYDLL.pl,
mod_304_UNK_WIN....pl, mod_305_UNK_IASEX.pl, mod_306_UNK_WINUPDATE.pl, mod_307_UNK_...SQUAB.pl, mod_308_UNK_WINDO.pl, mod_309_UNK_DIESELRATTLE.pl,
mod_310_UNK_W....pl, mod_311_UNK_CIVETCAT.pl, mod_3_mspretender.pl, mod_400_SS_WINBEE.pl, mod_401_SS_SSLINST.pl, mod_402_SS_SharpR.pl, ... (further entries cut off)

[Submit Query]

ALERTS

Module: mod_103_MM_DOGHOUSE.pl
Date: 2010-01-21T15:06:39.968 (as legible)
Tag: MM
File name: ../datastore/archive/2010/01/21/15/...0000272485_18_Y2010M01D21_H15M28S59_MS642MU500NS0_RXID050_000_0 (path partly garbled)
Details: five lines of the form "Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\<file>" (file names partly illegible; netbt.sys, tcpip..., hotfix.inf visible)

-=PUXLEDPORK=
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EONBLUE 



• CSEC cyber threat detection platform 

• Over 8 years of development effort 

• Scales to backbone internet speeds 

• Over 200 sensors deployed across the globe 





Defence at 
the core of 
the Internet 
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Anomaly Detection Tools 




• There are currently over 50 modules in Slipstream 

- RFC Validation 

- Heuristic Checks 

- Periodicity 

- Simple Encryption 

- Streaming Attack Detection 

- Analyst Utilities 

• Not all of these tools are ‘YES/NO’, some will require some 
work. 
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Heuristic Example 




• QUANTUM 

- It’s no lie, quantum is cool. 

• But its easy to find 

- Analyze first content carrying packet 

• Check for sequence number duplication, but different data size 

• If content differs within the first 10% of the pkt payload, alert. 
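The three bullets above describe a detection rule for a packet-injection race: two segments in one TCP flow carry the same sequence number but payloads of different sizes, and the payloads already disagree in their first 10%. The following is an added example, not CSEC or EONBLUE code, that applies that rule to constructed TCP segments and also shows the two look-alike cases the rule must not flag: a plain retransmission (same bytes, same length) and a retransmission that resegments the same data into a longer segment (same prefix). The slide does not say which packet's length the 10% refers to; the code assumes the shorter payload, so the comparison always stays in range. Flow tuple, addresses and HTTP payloads are constructed.

```python
"""Heuristic from the slide, as an added example (not CSEC/EONBLUE code):
within one TCP flow, look at the first content-carrying segment; if a later
segment reuses the same sequence number with a different payload size and the
payloads already differ within the first 10 % of the data, raise an alert.
Ordinary retransmissions repeat the same bytes and are not flagged.  Segment
records and payloads below are constructed."""
from dataclasses import dataclass
from typing import Optional

PREFIX_FRACTION = 0.10  # "first 10% of the pkt payload"


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment: flow tuple, sequence number, payload."""
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port)
    seq: int
    payload: bytes


def payloads_differ_early(a: bytes, b: bytes, fraction: float = PREFIX_FRACTION) -> bool:
    """Compare the leading `fraction` of the shorter payload (assumption: the
    slide does not say which packet's length the 10 % refers to)."""
    n = max(1, int(min(len(a), len(b)) * fraction))
    return a[:n] != b[:n]


def detect_duplicate_seq_injection(segments) -> Optional[dict]:
    """Return an alert dict for the first flow showing the pattern, else None."""
    first_content = {}                       # flow -> first content-carrying segment
    for seg in segments:
        if not seg.payload:
            continue                         # pure ACKs carry no content
        ref = first_content.setdefault(seg.flow, seg)
        if seg is ref:
            continue
        if (seg.seq == ref.seq and len(seg.payload) != len(ref.payload)
                and payloads_differ_early(ref.payload, seg.payload)):
            return {
                "flow": seg.flow, "seq": seg.seq,
                "first_len": len(ref.payload), "second_len": len(seg.payload),
                "first_line": ref.payload.split(b"\r\n", 1)[0],
                "second_line": seg.payload.split(b"\r\n", 1)[0],
            }
    return None


# --- constructed sample traffic (server -> client direction) ----------------
FLOW = ("203.0.113.10", 80, "192.0.2.7", 51344)
REAL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: 1300\r\n\r\n<html>" + b"A" * 1294)
RACED_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n"
                  b"Cache-Control: no-cache\r\nContent-Length: 0\r\n"
                  b"Connection: close\r\n\r\n")

RACE_CASE = [                              # short reply wins the race, real one follows
    Segment(FLOW, 1000, b""),
    Segment(FLOW, 1000, RACED_RESPONSE),
    Segment(FLOW, 1000, REAL_RESPONSE),
]
RETRANSMIT_CASE = [                        # same bytes twice: not an anomaly
    Segment(FLOW, 1000, REAL_RESPONSE),
    Segment(FLOW, 1000, REAL_RESPONSE),
]
RESEGMENTED_CASE = [                       # same data, re-sent in a bigger segment
    Segment(FLOW, 1000, REAL_RESPONSE[:600]),
    Segment(FLOW, 1000, REAL_RESPONSE),
]

if __name__ == "__main__":
    for name, case in (("race", RACE_CASE), ("retransmit", RETRANSMIT_CASE),
                       ("resegmented", RESEGMENTED_CASE)):
        print(name, "->", detect_duplicate_seq_injection(case))
```

Only the race case produces an alert (a 121-byte 302 followed by a 1366-byte 200 at the same sequence number); the retransmission and resegmentation cases return None, which is the reason the slide's rule carries the prefix comparison rather than stopping at "duplicate sequence number, different size".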
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What’s Next? 




• Anomaly Discovery at scale 

- Multi-10G anomaly detection

• Cross Agency communication of anomalies 

- Sometimes signatures aren’t enough 

• DONUTS! 

- Everyone likes them:

- 5-eyes accessible DONUTS 

• Discovery of New Unidentified Threats 

• CSEC / GCHQ right now 
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Global Access Roadmap supporting SRSG and WISDEN Scenarios

[Roadmap table. Columns: Topic, Desired Outcomes, # Activity, and a quarterly timeline (Calendar Year 2010: Jul-Sep Q3, Oct-Dec Q4; Calendar Year 2011: Jan-Mar Q1, Apr-Jun Q2, Jul-Sep Q3, Oct-Dec Q4). The timeline bars and most owner tags did not survive extraction; owner labels legible at the right edge: GTE/CNO, GTE/GND.]

Metadata Sharing

Desired outcomes:
- Shared Situational Awareness
- Assess value of metadata sharing
- Develop Use-Cases for Sharing
- Develop Requirements for NRT tipping

Activities:
- M.1 Bulk daily sharing of Cyber Event Metadata with 5-[eyes] (truncated)
- M.2 Receive Metadata from partner agencies
- M.3 Report on value of metadata sharing
- M.4 Instrument NRT sharing of CSEC Cyber Event Metadata
- M.5 Report on NRT sharing (value / lessons learned / reqt's)
- M.6 Enrich NRT feed with Geolocation / ASN
- M.7 Add Impact information to event metadata
- M.8 Extend Deadsea Live feed from CSEC to GCHQ
- M.9 Receive FastFlux metadata (tip) b/w GCHQ/CSEC (see T.6/T.7)

Signatures

Desired outcomes:
- Replace current Signature Management system
- Impacts to support Action-on / Cueing and enhance Metadata feed

Activities:
- S.1 Replace existing signature management with HalterHitch
- S.2 Implement Impacts with DGI for Signatures (re-enter in HH)
- S.3 Decommission current targeting process and replace with HH
- S.4 Report on HH (value / lessons learned / requirements / etc)
- S.5 Open SIGINT HH repository to ITS for Signature Sharing
- S.6 [Open] SIGINT HH repository to 5-eyes to retrieve signatures

Target Knowledge

Desired outcomes:
- Provide context to metadata
- Experiment with TKB to gather requirements
- Create baseline of cyber knowledge

Activities (row prefix illegible):
- .7 ... nSpaces with CTEC / TAC / NAC / DGI
- .8 Report on value of nSpaces to support Target Knowledge
- .9 Set up Collaborative Web Environment

Sharing Cyber Content

Desired outcomes:
- Create a shared environment to experiment with content sharing
- Develop requirements / lessons learned on sharing content
- Illustrate equitable ... (remainder illegible)

Activities:
- C.1 Establish Cyber Play-Pen
- C.2 Upgrade EONBLUE for use in Cyber Play-Pen
- C.3 Assist in porting EONBLUE capability to PPF
- C.4 Promote EONBLUE / PPF content to shared XKS
- C.5 Evaluate retrieving GCHQ content based on events from XKS
- C.6 Trial feeding EONBLUE events at CSEC to a local XKS
- C.7 Evaluate opening CSEC Cyber-XKS to GCHQ
- C.8 [Open] CSEC Cyber-XKS Inte... to 5-eyes (partly illegible)
- C.9 Report on content sharing experiments

Tipping and Cueing

Desired outcomes:
- Leverage EONBLUE's native messaging to extend national capability (within SIGINT / with ITS)
- Based on existing bilateral partnerships trial tipping / cueing to enhance content sharing / metadata sharing: international EONBLUE and similar components with FASTFLUX as trial
- Tip in NRT SIGINT events related to partner countries

Activities:
- T.1 Send EONBLUE cues across Canadian SSO Sites
- T.2 Send EONBLUE cues between Canadian Passive Programs
- T.3 Instrument Cyber Session Collection Domestically
- T.4 Send tips on GoC activity to IT Security
- T.5 Send EONBLUE cues from Canadian SSO to ITS Sensors
- T.6 Introduce and develop Cyber Session Collection Experiment
- T.7 Tip FASTFLUX events from CSEC to GCHQ
- T.8 Extend EONBLUE FastFlux cues to GCHQ FastFlux Software
- T.9 Receive cues from GCHQ's FastFlux Software at EONBLUE
- T.10 Make FASTFLUX tips available to other 5-eyes agencies
- T.11 Tip in NRT EONBLUE messages to 5-eyes based on IP-Geo
- T.12 Send EONBLUE cues from CSEC EONBLUE to DSD EONBLUE
- T.13 Based on equitable processing (C.3) send cues to GCHQ
- T.14 Prepare report on Tipping / Cueing (requirements / value / etc)
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CNT1 - Analysis 




• Triage leads from KOG and GA4 

- Links to existing intrusion sets? 

• Pursue interesting leads 

- Passive SIGINT collection 

- Technical analysis 

• Produce reporting 

• Attribute 
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Analytic Approach 




1. Begin with lead 

2. Apply to SIGINT 

3. Apply to CCNE 

4. Track, research and 
report 

5. Generate persona lead 

6. Coordinate with 
traditional CI 
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Cyber-Specifics of the Analytic Approach 




Network Traffic Analysis 

- We have access to Special Source, Warranted and 2nd Party 
collection in raw, unprocessed form 

- Work very closely with protocol and cryptanalysts 

Malware Analysis and Reverse Engineering 

- Samples are received through passive collection and human 
sources 

Forensic Analysis 

- Assist traditional CI investigations and others 
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CSEC Contacts 



CCI(CNT1) CCNE(KOG) 




ioops@cse-cst.gc.ca 



kO-ccne-d I @po . cse 
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ga4-staff@cse-cst.gc.ca 
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Cyber Threat Detection

* Passive Cyber Threat Detection Platform - EONBLUE

* Currently deployed alongside traditional DNI Collection (SPECIALSOURCE, Warranted Access, FORNSAT, etc)

* Packet Processing capability tailored to Cyber built over a 6+ year period

* Cyber Threat Tracking (Deep Packet Inspection signatures for 'known' intrusions)

* Cyber Threat Discovery (Anomaly Detection for discovering unknown intrusions)

* In 2009 an average of 115,000 Traffic Items collected daily from Canadian and Allied Sources

* Collection from allies is crucial to success, but based on IP Address collection (causes over collect, sessionization corrupts data, difficult to analyze with Cyber toolkit)

* POC: Global Network Detection ([redacted]@cse-cst.gc.ca)
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Holistic Cyber Threat Capability 





Mitigation 
Knowledge Transfer 
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CSEC - SIGINT Supporting CND

• Globally pervasive threat

- Covered by 5-Eyes network [working] as one ...

- Subject to CSEC cryptographic attack

- ... protocols ... engineered at CSEC (text partly illegible)

- ... awareness of ... partner linguistic community (text partly illegible)

- ... ability to stop or mitigate ... analytics and anomaly detection (text partly illegible)

- ... directed against networks of ... exfiltrate valuable intelligence ... use to enhance our repositories (text partly illegible)

• These operations are also directed against GoC networks

- Which we can detect and mitigate using both SIGINT and domestic sensors

[Illustration: a mock social-network profile page for the SEEDSPHERE intrusion set. Legible items:]

- "SEEDSPHERE is exfiltrating information from systems located across the globe and has no plans to stop anytime soon."
- See All Photos of Me (230) / See All Friends (23) / Places I've Been (125,234)
- SEEDSPHERE downloaded images from the Japanese Embassy in Romania 1:25PM
- SEEDSPHERE added the Poison Ivy Application 2:13PM
- ... communicated using the Poison ... 2:47PM (followed by a base64-looking string, illegible)
- Friends (23): DIESELRATTLE, SIENNABLUE, DOWNGRADE
- Yesterday: SEEDSPHERE is abusing the DNS Protocol 4:36PM
- Last Week: SEEDSPHERE is taking the day off on Chinese New Year 12:00AM
- The Wall: a post in Chinese (illegible)
- Groups: Windows Internals, 3322.org, bosee.net, lovequintet.org, lovetrio.com, Chinese ... (truncated)
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Front-end Cyber Tradecraft

* Deployed high-speed clustered storage to our collection sites

* Enables extraction / storing and processing of all HTTP metadata to identify Cyber Threat Anomalies

* Leveraged by CSEC's network knowledge engine to facilitate DNS Response harvesting and de-duplication

[Chart: cluster throughput (file system), Mb/s, 06/11 to 06/25; series Inbound / Outbound. Black line: total data into the cluster; blue line: data outbound from SAN.]

Data deduplication at site results in much better use of limited bandwidth

[Chart: 06/11 to 06/25; series System / User / Total.]

[Chart: per-node data into the cluster, 06/12 to 06/24.]

Data into the cluster is balanced across multiple nodes. Each color denotes a separate node, automatically dividing the load amongst all systems
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Joint Capability Development 

SIGINT / ITS - Cyber Threat Detection 





Fast Flux Botnet Detection - CROSSBOW 

A target-discovery algorithm deployed at CSEC SSO sites (currently operational) 

* Detects botnets that use the DNS protocol for command and control (i.e. the 
technique runs exclusively on metadata) 

* Initial planning phase Tipping/Cueing trials between SIGINT/ITS and the 5Eyes 
(stand-alone source code has been shared with 5Eyes, i.e. through T3IO) 

“Throw-away” Cyber Threat Detection Sensor - CRUCIBLE 

* A low-cost, rapidly-deployed passive cyber threat detection sensor designed for 
use with TS//SI signatures in a non-SCIF environment (cyber target-tracking 
capability) 

* Strength of the sensor is derived primarily by the logical countermeasures ( i.e. 
cryptographic hashes and bloom filters) 
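The CRUCIBLE bullet above puts the sensor's protection in "logical countermeasures (cryptographic hashes and bloom filters)": a sensor outside a SCIF cannot be trusted to hold a classified indicator list, so it carries only a Bloom filter built from hashes of the indicators and tests observed values against it. The following is an added example, not CSEC or CRUCIBLE code, of that construction: the filter is sized from the number of indicators and a target false-positive rate, populated with SHA-256-derived bit positions, and then run over a constructed DNS query log. The indicator strings, log lines and parameters are all constructed for the example.

```python
"""Added example (not CSEC/CRUCIBLE code): a sensor that must match sensitive
indicators outside a protected facility can carry only a Bloom filter built
from cryptographic hashes of the indicators, never the indicator list itself.
Indicators, DNS log lines and parameters below are constructed."""
import hashlib
import math


class HashedIndicatorFilter:
    """Bloom filter over SHA-256 digests; k positions per item, m bits total."""

    def __init__(self, m_bits: int, k: int):
        self.m, self.k, self.count = m_bits, k, 0
        self.bits = bytearray((m_bits + 7) // 8)

    @classmethod
    def for_capacity(cls, n_items: int, target_fp: float):
        """Size the filter for n items at the requested false-positive rate."""
        m = math.ceil(-n_items * math.log(target_fp) / math.log(2) ** 2)
        k = max(1, round(m / n_items * math.log(2)))
        return cls(m, k)

    @staticmethod
    def normalize(indicator: str) -> str:
        """Canonical form so 'C2-Bravo.example.' and 'c2-bravo.example' agree."""
        return indicator.strip().lower().rstrip(".")

    def _positions(self, indicator: str):
        item = self.normalize(indicator).encode()
        for i in range(self.k):
            # One independent hash per position: the index is mixed into the input.
            digest = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, indicator: str) -> None:
        for pos in self._positions(indicator):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def might_contain(self, indicator: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(indicator))

    def estimated_fp_rate(self) -> float:
        """Textbook estimate (1 - e^(-kn/m))^k for the items inserted so far."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


# Constructed indicator list (placeholders, not real infrastructure).  In the
# deployment the slide describes this list would stay inside the SCIF and only
# the resulting bit array would travel to the sensor.
INDICATORS = ["c2-alpha.example", "c2-bravo.example", "198.51.100.23",
              "update-check.example.net", "203.0.113.77", "cdn-mirror.example.org"]

# Constructed DNS query log: (timestamp, client, queried name).
DNS_LOG = [
    ("2010-05-05T09:12:01", "10.1.4.22", "www.example.com"),
    ("2010-05-05T09:12:03", "10.1.4.22", "C2-Bravo.example."),
    ("2010-05-05T09:13:10", "10.1.7.9", "mail.example.org"),
    ("2010-05-05T09:14:42", "10.1.7.9", "cdn-mirror.example.org"),
    ("2010-05-05T09:15:00", "10.1.9.1", "time.example.net"),
]


def build_sensor_filter(indicators, target_fp=1e-12):
    """Build the bit array that is all the sensor needs to carry."""
    bf = HashedIndicatorFilter.for_capacity(len(indicators), target_fp)
    for ind in indicators:
        bf.add(ind)
    return bf


def scan_dns_log(log, bf):
    """Return the log entries whose queried name hits the filter."""
    return [entry for entry in log if bf.might_contain(entry[2])]


if __name__ == "__main__":
    bf = build_sensor_filter(INDICATORS)
    print(f"filter: {bf.m} bits, k={bf.k}, est. FP rate {bf.estimated_fp_rate():.1e}")
    for hit in scan_dns_log(DNS_LOG, bf):
        print("HIT", *hit)
```

For six indicators at a 1e-12 target the filter is 346 bits (44 bytes) with 40 hash positions per item; the bit array says nothing about the indicators to someone who holds it, but it still answers membership queries, so an adversary who captures the sensor can test guesses against it, and low-entropy indicators (a short list of IPv4 addresses, say) remain enumerable. The false-positive rate is the other design knob: every hit the sensor reports has to be resolved against the real list upstream, so a rate that is too loose turns into analyst workload.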



POC: [redacted] (DG ITS Operations, ...@cse-cst.gc.ca)
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Sample of Fast Flux Activity Detected

Square nodes: contacted by fast flux "bots"
Diamond nodes: fast flux "bots"
Oval nodes: suspected fast flux domain

[Graph: 1 week of detected fast flux activity for a particular fast flux domain at a CSEC access]
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Joint Capability Development 

SIGINT / ITS - Cyber Threat Detection 



Scanning Detection - LODESTONE 
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Speaker notes (CSEC - SIGINT Supporting CND slide):

- Added the health and status of Government network bullet

- Removed '4th party' and instead mention how it enhances our repositories (will introduce 4th party here)
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CSEC Cyber Threat Capabilities 

SIGINT and ITS: an end-to-end approach 
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Cyber Security 



• What do we mean by Cyber? 

- Detection / Discovery and Tracking of State-Sponsored 
Hacking 

- Counter-Intelligence Reporting / Mitigation Advice and Defence 
against Cyber Threats 

• SIGINT Detects Cyber Activity 

- Access Canadian and Allied collection to discover and track 
covert networks (counter-intelligence) 

• IT Security Defends against Cyber Activity 

- Sensors Government of Canada networks to identify malicious 
activity and enhance defences 
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Comprehensive Cyber Capabilities

[Diagram. Legible labels: Processing and Enrichment, Protocol Analysis, Intelligence, Counter Intelligence, Threat Evaluation, Knowledge Transfer.]
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The Grand Challenge - Detection 






• EONBLUE is the cyber threat detection sensor 
developed and deployed in SIGINT and ITS 

- Cyber threat tracking (signature-based detection) 

- Cyber threat discovery (anomaly-based detection) 




• A 6+ year effort that incorporates the best of breed 
detection algorithms/technology in collaboration with 
our 5-eyes partners 

- Based on classified knowledge 

- Scales to major ISP network speeds (10G) 

- Enables rapid prototyping to adapt to ever changing threats 
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The Cyber Landscape 



• Adversaries and Targets 

- Operate globally 

- Varying degrees of sophistication 

- Constantly changing tools and techniques 




• Detection / Discovery 

- Tools must operate at all network speeds 

- Deep Packet Inspection at scale 

- Targeting tradecraft / protocols vs. individuals 

- We must ‘live’ in cyber space 
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Why is Cyber Critical?

[Map graphic, Korea. Callouts:]

- Nodong Missile - Range: 1300km - Type: Ballistic

- Taepodong Missile - Range: 2900km - Type: Multistage - Payload: Nuclear
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Working in Cyber Space 



• Tools must adapt constantly / quickly 

- Signature based targeting 

- Metadata analytics 

- Custom tradecraft for discovery 




• Would I do a better job from my PC at home? 

- Enhance / Enable collaboration 

- Adopt Internet technologies on our Classified networks 

• SKYPE / Web 2.0 / Video Chat / Google Apps / etc 

- Centralize our ‘cyber’ analytics 

• CyberDMZ 
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SEEDSPHERE - Discovery 



• EONBLUE anomaly detection utilities isolate network 
anomalies 

- Discover network beacons in Warranted full-take collection 

• Knowledge developed is shared with CNE 

- During CNE activities, implant is found to be cohabitating 
- Implant is copied to CSEC HQ for reverse engineering 

• IT Security detects SEEDSPHERE attacks against 
Government of Canada weekly 
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Repositories - At Collection Site

• Global Access is pushing tradecraft to the front-end of access

- 50 terabytes of high speed storage

- Processing over 125GB/hour of HTTP metadata

[Charts: cluster throughput (file system), Mb/s, 06/11 to 06/25, series Inbound / Outbound (black line: total data into the cluster; blue line: data outbound from SAN); a second chart 06/11 to 06/25 with series System / User / Total; a per-node chart 06/12 to 06/24.]

Data deduplication at site results in much better use of limited bandwidth

Data into the cluster is balanced across multiple nodes. Each color denotes a separate node, automatically dividing the load amongst all systems
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Cyber Repositories 



• In 2009 an average of 112,794 IP traffic items related to cyber 
threat collected each day from Canadian and Allied sources 

• Traditional SIGINT sources prove invaluable in cyber threat 
analysis 

- Travel Tracking Databases used to attribute CNE activity along with 
SMS collection 

• IT Security domestic sensors store 300TB of full-take 

- Equivalent to ‘months’ of traffic 

- Enables historical analysis and anomaly detection 

• In 2009 IT Security domestic sensors enabled 95 mitigation actions

TOP SECRET//COMINT//REL TO FVEY
F: Network Analysis

[Network graph of autonomous systems. Legible node labels: VICUS-AS VICUS S.A.; LEVEL3 Level 3 Comms.; SEABONE-NET Telecom Italia Sparkle; BTN-ASN Beyond The Network America, Inc.; HKIX-RS Hong Kong Internet Exchange Route Server; MZIMA Networks, Inc.; Yahoo!; TELIANET TeliaNet Global Network; ... Services, ... d/b/a Verizon Business; NTT-COMMUNI... America, Inc.; ALLST-15290 Allstream Corp.; GLOBEINTERNET TATA Comms.; SPRINTLINK Sprint; SAVVIS; ...-THREE RA-NAP; CDAGOVN Government Telecommunications and Informatics Services; IIJ Internet Initiative Japan Inc.; 703; 3766; DND...NET2 Department of National Defence/DISEM.]
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Cyber Analysis 
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Mitigation 

Direct protection of GC systems and information 

- Prevention and response activity 

- Leverage SIGINT and 5 Eyes intelligence, 
complemented by our own GC domestic 
sensor capabilities 

- Report:

[Diagram: Government of Canada at the centre; surrounding labels Cleanup / Strengthen, Detection, Discovery, Proactive Defence, Systems of Importance.]

• Actionable technical mitigation reports provided to client's IPC

• Cyber threat situational awareness reports provided to departments

- CSEC review of incidents against systems of importance

- CSEC analysts deployed to capture technical evidence to develop/support mitigation activity

- CSEC information is merged with all-source cyber threat activities to create complete picture of cyber threats
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Positioning for the future 
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Synchronized SIGINT / ITS Mission Space 
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Situational Awareness 



• SA is: 

- The perception of environmental elements within a 
volume of space and time 

• The comprehension of their meaning 

• Projection of their status in the near future 

• Insight - the capacity to understand hidden truths 

• In the Cyber Context: 

- Gathering and enabling access to cyber information 

• Event Metadata / Event Content / Near Real-Time Exchange 

- Data mining of cyber information to create understanding in 
broader context 

- Predict our adversaries' actions based on this knowledge 
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Cyber Session Collection

[Diagram. Legible labels: CNE Actor; Canada; Enabled by Sydney Resolution; SIGINT Event Store.]
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Tipping and Cueing (Why) 



• SIGINT - data volumes/network speeds impose severe temporal 
restrictions on collection (use it or lose it) 

- ability to extend cyber target tracking across all 5-Eyes accesses 
and/or analytic event stores instead of just domestic - global aperture 

- ability to uncover covert overlay networks 

- cyber session collection? Uncover tradecraft/binaries/exploit vectors... 






• CND - network edge vs. network core (microscope vs. telescope) 

- enable mitigation of cyber exploitation and/or attack (dynamic 
defence) 

- facilitate indications and warning - can SIGINT provide me with the 
true threat picture in NRT? Could we detect "test firing" of new 
tools/techniques? 



- collaborative defence - can my partners see malicious activity in 
SIGINT against networks I need to protect? Can they tell me in NRT? 
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SIGINT -> ITS Tipping

Sample of CNO tips provided to ITS from SIGINT SSO on May 05, 2010.

[Table: ten tips, each from source DS800. Actor column: SEEDSPHERE for eight rows, SUPERDRAKE for rows 7 and 9. "The Network Name is:" column, where legible: Canadian house of commons; environment Canada; federal office of regional development (quebec); forestry Canada; public works and government services Canada.]
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Dynamic Defense

• All elements acting as one

• Defence at:

- Network Edge (ITS)

• Localized/tailored mitigation (e.g. blocking, binary neutering, redirection)

• Focused response to ongoing and potential threats

- Network Core (SIGINT)

• Global mitigation possible (e.g. redirection, null routing, filtering)

• Large scale (but still focused!) response to ongoing and potential threats

- Adversary Space (CNE)

• Reconnaissance - probe/explore/learn adversarial network space

• Co-habitate covert network infrastructure for info gathering, tool extraction, etc
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Cyber Activity Spectrum

SECRET//COMINT

[Diagram: Cross Domain Solution - Tipping and Cueing]

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Dynamic Defense Scenarios

[Diagram. Legible labels: Network A, Network B, Network C, INTERNET, CNE Action, Rules Engine, Honeynet, Inline Defensive Device.]
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Next Steps

[Slide laid out along a Domestic ... International axis; bullets in extraction order:]

• Synchronize SIGINT and ITS Mission

• Consider: Alignment with Cyber Strategy; Funding; Legislative Amendments

• Joint Approach for Domestic Partners

• Develop Career Framework

• Recruitment and Staffing for Growth

• Joint Capabilities Development (Sensors and Analytics)
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If you build it... they will come 



Rather 

Than 
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Speaker notes (GA4) for the Comprehensive Cyber Capabilities slide:

- Added output to the 5-Eyes which is labelled as Knowledge Transfer (mention the sharing of tradecraft / techniques / tools / etc)

- Mention how analytic work load is split among partners
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The Grand Challenge - Detection 






• EONBLUE is the cyber threat detection sensor developed and deployed in SIGINT and ITS

- Cyber threat tracking (signature-based detection) 

- Cyber threat discovery (anomaly-based detection)




• A 6+ year effort that incorporates the best of breed 
detection algorithms/technology in collaboration with 
our 5-eyes partners 

- Based on classified knowledge

- Scales to major ISP network speeds (10G)

- Enables rapid prototyping to adapt to ever changing threats 
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Speaker note: the message is that commercial is not enough
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The Cyber Landscape 



• Adversaries and Targets 

- Operate globally 

- Varying degrees of sophistication 

- Constantly changing tools and techniques 




• Detection / Discovery 

- Tools must operate at all network speeds 

- Deep Packet Inspection at scale 

- Targeting tradecraft / protocols vs. individuals 

- We must ‘live’ in cyber space 
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Why is Cyber Critical? 



[Map: North Korea; Nodong Missile, Range: 1300km]
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Working in Cyber Space 



• Tools must adapt constantly / quickly 

- Signature based targeting 

- Metadata analytics 

- Custom tradecraft for discovery 

• Would I do a better job from my PC at home? 

- Enhance / Enable collaboration 

- Adopt Internet technologies on our Classified networks 

• SKYPE / Web 2.0 / Video Chat / Google Apps / etc 

- Centralize our ‘cyber’ analytics 

• CyberDMZ 
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SEEDSPHERE - Discovery 



• EONBLUE anomaly detection utilities isolate network 
anomalies 

- Discover network beacons in Warranted full-take collection 

• Knowledge developed is shared with CNE 

- During CNE activities, implant is found to be cohabitating 

- Implant is copied to CSEC HQ for reverse engineering 

• IT Security detects SEEDSPHERE attacks against 
Government of Canada weekly 



Speaker notes:

- Major point: how it is an all-source collection effort to get the data
- Explain the value of COVENANT to seed new discovery
- How CNE is now seeding new discovery
- How ITS detects attacks into GC
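Added example of the beacon-discovery idea on this slide; it is not EONBLUE code and not from the briefing. It groups connections by (source, destination, port), takes the inter-connection gaps and byte counts, and flags a key when both are tightly clustered, which is what an automated callback looks like next to a person's irregular browsing. The flow records, the 10.0.0.5 "implant" host, the 300-second period, the documentation-range IPs and the thresholds are all constructed for the sample; a real tool would feed the same function from flow metadata extracted out of full-take packet capture.

```python
from collections import defaultdict, namedtuple
from statistics import mean, median, pstdev


def _make_flows():
    """Constructed sample flow records (not real collection data):
    (timestamp in seconds, source IP, destination IP, destination port, bytes)."""
    flows = []
    # Hypothetical implant on 10.0.0.5 calling back every ~300 s with small jitter.
    ts = 1000
    for gap, size in zip(
        [0, 300, 302, 298, 301, 299, 300, 303, 297, 300, 301, 299],
        [512, 514, 512, 513, 512, 512, 515, 512, 513, 512, 512, 514],
    ):
        ts += gap
        flows.append((ts, "10.0.0.5", "203.0.113.7", 443, size))
    # The same host browsing a web server at irregular times with varied sizes.
    for ts, size in zip(
        [1010, 1045, 1300, 1330, 1331, 2500, 2700, 4000, 4100, 4105, 6000, 6500],
        [1200, 45000, 800, 230, 67000, 1500, 9000, 300, 120000, 400, 2200, 50000],
    ):
        flows.append((ts, "10.0.0.5", "198.51.100.20", 80, size))
    # A second host with too few events to judge periodicity.
    for ts in (5000, 5300, 5600):
        flows.append((ts, "10.0.0.9", "203.0.113.7", 443, 512))
    return sorted(flows)


SAMPLE_FLOWS = _make_flows()

BeaconCandidate = namedtuple(
    "BeaconCandidate", "src dst dport events period_s gap_cv size_cv"
)


def _cv(values):
    """Coefficient of variation (stdev / mean); None when the mean is zero."""
    m = mean(values)
    return None if m == 0 else pstdev(values) / m


def find_beacons(flows, min_events=6, max_gap_cv=0.1, max_size_cv=0.2):
    """Return (src, dst, dport) keys whose connections recur at a stable
    interval with uniform sizes: an automated callback rather than a person."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))

    found = []
    for (src, dst, dport), events in groups.items():
        if len(events) < min_events:
            continue  # too few samples to separate periodicity from chance
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [nbytes for _, nbytes in events]
        gap_cv, size_cv = _cv(gaps), _cv(sizes)
        if gap_cv is None or size_cv is None:
            continue  # all events at one instant, or all zero-byte: nothing to measure
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            found.append(BeaconCandidate(
                src, dst, dport, len(events), median(gaps),
                round(gap_cv, 4), round(size_cv, 4),
            ))
    return found


if __name__ == "__main__":
    for candidate in find_beacons(SAMPLE_FLOWS):
        print(candidate)
```

On the sample, only the 10.0.0.5 to 203.0.113.7:443 series is reported (twelve events, 300 s median period); the browsing series fails the gap test and the three-event series is skipped. Two caveats a practitioner would add: implants that randomise their sleep interval push the gap CV up, so a production tool tests periodicity with an autocorrelation or spectral method instead of a single CV threshold, and legitimate periodic traffic (NTP, software update checks, monitoring agents) has to be allow-listed before any hit is worth an analyst's time.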
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Repositories - At Collection Site 



• Global Access is pushing tradecraft to the front-end of 
access 

- 50 terabytes of high speed storage 

- Processing over 125GB/hour of HTTP metadata 




Speaker notes:

We are talking about massive volumes (reference to the earlier SSO briefing). There is so much traffic that we keep it at the front-end and do advanced data mining / new tradecraft development there.

50TB = Library of Congress 3 times over

125GB of data = 14 hours of High Definition Video

SIGINT 2010 - Keep stuff online
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Cyber Repositories 



• In 2009 an average of 112,794 IP traffic items related to cyber threat collected each day from Canadian and Allied sources

• Traditional SIGINT sources prove invaluable in cyber threat 
analysis 

- Travel Tracking Databases used to attribute CNE activity along with 
SMS collection 

• IT Security domestic sensors store 300TB of full-take 

- Equivalent to ‘months’ of traffic 

- Enables historical analysis and anomaly detection 

• In 2009 IT Security domestic sensors enabled 95 mitigation actions



Major Point (Traffic breakdown is 70/30 for SIGINT)

Canadian Collect is almost all actionable 

Canadian Collect is more precise because of EONBLUE 

IT Security generates Mass quantity of valuable information on attacks (Linked 
to their full take capability) 
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F: Network Analysis 




Speaker notes:

- Expand on how ANT provides best point of access (TBD)
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Cyber Analysis 
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Major Points — A lot goes into a Cyber Threat Report. We must stay on top of Tasking; Traffic Analysis / Reverse Engineering and Network Analysis all feed into a Cyber Report. We do this quickly because of tradecraft.

Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada   SECRET//COMINT//REL TO FVEY



Mitigation 

• Direct protection of GC systems and information 

- Prevention and response activity 

- Leverage SIGINT and 5 Eyes intelligence, 
complemented by our own GC domestic 
sensor capabilities 






[Diagram: Government of Canada; Cleanup / Strengthen; Detection; Defence in Depth; Discovery; Proactive Defence; Systems of Importance]



- Report: 

• Actionable technical mitigation reports provided to client’s IPC 

• Cyber threat situational awareness reports provided to 
departments 



- CSEC review of incidents against systems of importance 



- CSEC analysts deployed to capture technical evidence to 
develop/support mitigation activity 



- CSEC information is merged with all-source cyber threat activities to create a complete picture of cyber threats
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Positioning for the future 




from RESPONSE to ACTION 
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Safeguarding Canada's security through information superiority
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Synchronized SIGINT / ITS Mission Space 
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Situational Awareness 



• SA is: 

- The perception of environmental elements within a volume of space and time

• The comprehension of their meaning 

• Projection of their status in the near future 

• Insight - the capacity to understand hidden truths 

• In the Cyber Context: 

- Gathering and enabling access to cyber information 

• Event Metadata / Event Content / Near Real-Time Exchange 

- Data mining of cyber information to create understanding in 
broader context 

- Predict our adversaries' actions based on this knowledge
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Cyber Session Collection 
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Enabled by Sydney Resolution 




[Diagram components: Government of Canada, ITS Event Store, ITS Analyst, Photonic Prism, Partner Messaging, NRT Alerting Engine, Decision Logic, SPECIAL SOURCE, SIGINT Analyst, SIGINT Event Store]
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Tipping and Cueing (Why) 



• SIGINT - data volumes/network speeds impose severe temporal 
restrictions on collection (use it or lose it) 

- ability to extend cyber target tracking across all 5-Eyes accesses 
and/or analytic event stores instead of just domestic - global aperture 

- ability to uncover covert overlay networks 

- cyber session collection? Uncover tradecraft/binaries/exploit vectors... 



• CND - network edge vs. network core (microscope vs. telescope) 

- enable mitigation of cyber exploitation and/or attack (dynamic 
defence) 

- facilitate indications and warning - can SIGINT provide me with the 
true threat picture in NRT? Could we detect "test firing” of new 
tools/techniques? 

- collaborative defence - can my partners see malicious activity in 
SIGINT against networks I need to protect? Can they tell me in NRT? 

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SIGINT -> ITS Tipping 






Sample of CNO tips provided to ITS from SIGINT SSO on May 05, 2010.

Ten tips, each carrying three fields (source, threat network, victim network):

- Source: DS800I (all ten tips)
- Threat network: SEEDSPHERE (eight tips), SUPERDRAKE (two tips)
- Victim network ("The Network Name is:"); the names legible in the sample:
  - Canadian House of Commons
  - Environment Canada
  - Federal Office of Regional Development (Quebec)
  - Forestry Canada
  - Public Works and Government Services Canada
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Dynamic Defense 

• All elements acting as one 

• Defence at: 

- Network Edge (ITS) 

• Localized/tailored mitigation (e.g. blocking, binary neutering, 
redirection) 

• Focused response to ongoing and potential threats 

- Network Core (SIGINT) 

• Global mitigation possible (e.g. redirection, null routing, filtering) 

• Large scale (but still focused!) response to ongoing and potential 
threats 

- Adversary Space (CNE) 

• Reconnaissance - probe/explore/learn adversarial network space 

• Co-habitate covert network infrastructure for info gathering, tool 
extraction, etc 






TOP SECRET//SI//REL USA, FVEY




National Security Agency/ 3 April 2013 

Central Security Service 

Information Paper 



Subject: (U//FOUO) NSA Intelligence Relationship with Canada’s 

Communications Security Establishment Canada (CSEC) 



(U) Introduction 



(U//FOUO) The U.S.-Canada SIGINT relationship dates back to an alliance formed during World 
War II. In 1949, the relationship was formalized under the CANUSA Agreement signed with 
CSEC. The basic tenet of CANUSA is cooperation in all aspects of SIGINT except when 
considered prejudicial to the national interests of one of the parties. The formal Information 
Assurance (IA) relationship with CSEC is based on a 1986 Memorandum of Agreement. NSA
has a close, cooperative relationship with CSEC that both sides would like to see expanded and 
strengthened. 



(S//REL TO USA, CAN) CSEC is a highly valued second party partner. The relationship is
driven by our mutual interest in the defense of North America as a whole. Cooperative efforts 
include the exchange of liaison officers and integrees, joint projects, shared activities and a 
strong desire for closer collaboration in the area of cyber defense. Since Canada has a limited 
ability to produce cryptographic devices, it is a large consumer of U.S. IA products.



(C//REL TO USA, CAN) [redacted], NSA civilian, guides the continued success of the CANUSA relationship in Canada. [redacted] staff have a close working relationship with [redacted]. Together they enable productive interactions with Canadian intelligence organizations in support of U.S. Intelligence Community goals.



(U) Key Issues: NSA and CSEC cooperate closely in the following areas: 

• (TS//SI//REL TO USA, CAN) active computer network access and exploitation on a variety of 
foreign intelligence targets, including CT, Middle East, North Africa, Europe, and Mexico; 

• (U//FOUO) information assurance and critical infrastructure defense; and 

• (U//FOUO) evolving cyber capabilities and network security standards. 



Classified By: [redacted]
Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20380401 
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(U) What NSA provides to the partner: 



(S//SI//REL TO USA, CAN) SIGINT: NSA and CSEC cooperate in targeting approximately 20 high-priority countries. [redacted] shares [redacted] developments, cryptologic capabilities, software and resources for state-of-the-art collection, processing and analytic efforts, and IA capabilities. The intelligence exchange with CSEC covers worldwide national and transnational targets. No Consolidated Cryptologic Program (CCP) money is allocated to CSEC, but NSA at times pays R&D and technology costs on shared projects with CSEC.




(U) What the partner provides to NSA: 

(TS//SI//REL TO USA, CAN) CSEC offers resources for advanced collection, processing and analysis, and has opened covert sites at the request of NSA. CSEC shares with NSA their unique geographic access to areas unavailable to the U.S. and [redacted] provides cryptographic products, cryptanalysis, technology, and software. CSEC has increased its investment in R&D projects of mutual interest.
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